MDKSA-2002:025

Problem description

A problem was discovered with the default configuration of the kdm
display manager in Mandrake Linux. By default, it accepts XDMCP
connections from any host, which allows a remote host to obtain a login
screen from your system. This can be used to obtain the list of users on
that host, as displayed by kdm. It can also be used to circumvent access
control mechanisms such as tcpwrappers and restrictions on root logins,
both on the console and over the network.

Solution:

To disable remote connections, edit the /etc/X11/xdm/Xaccess file and
change the following two lines:

    *                                       #any host can get a login window
    *               CHOOSER BROADCAST       #any indirect host can get a chooser

to:

    #*                                      #any host can get a login window
    #*              CHOOSER BROADCAST       #any indirect host can get a chooser

Restart kdm afterwards so that the changed Xaccess file is read; until
then the running display manager keeps answering XDMCP requests.
Please note that Mandrake Linux 8.1 and 8.2 are not vulnerable to this,
as the newer versions of kdm they ship have a configuration option in the
/usr/share/config/kdm/kdmrc file which explicitly disables XDMCP support.

Also please note that this only applies if you are running kdm.
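The following audit script is an added example, not part of the advisory or of the kdm project: it checks the two conditions the advisory describes, an uncommented any-host entry in Xaccess and the absence of an explicit XDMCP disable in kdmrc, and reports whether a host would still hand out login windows or choosers to arbitrary clients. It assumes the standard Xaccess syntax (one entry per line, "#" starts a comment) and an INI-style kdmrc with an [Xdmcp] section containing Enable=; the sample files it writes are constructed for illustration and the function names are the author's own. The optional live check assumes netstat is installed.

```shell
#!/bin/sh
# Added example: audit a host for the open-XDMCP default described in
# MDKSA-2002:025. Not code from the advisory or from kdm.

# xaccess_open FILE -> returns 0 if an uncommented entry grants access to
# any host: a bare "*" (direct login window) or "* CHOOSER ..." (indirect
# chooser). Comments are stripped before matching.
xaccess_open() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
      | sed 's/#.*//' \
      | grep -Eq '^[[:space:]]*\*([[:space:]]|$)'
}

# kdmrc_xdmcp_disabled FILE -> returns 0 only when the [Xdmcp] section
# explicitly sets Enable=false (the 8.1/8.2 situation). A missing key or
# a missing section counts as "not disabled", because older kdm then
# falls back to answering XDMCP and consulting Xaccess.
kdmrc_xdmcp_disabled() {
    awk -F= '
        /^[[:space:]]*\[/ { in_xdmcp = ($0 ~ /^[[:space:]]*\[Xdmcp\]/); next }
        in_xdmcp && $1 ~ /^[[:space:]]*Enable[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v)
            disabled = (v == "false" || v == "0" || v == "no")
        }
        END { exit disabled ? 0 : 1 }' "$1" 2>/dev/null
}

# xdmcp_exposed XACCESS KDMRC -> returns 0 (exposed) when XDMCP is not
# explicitly disabled in kdmrc AND Xaccess still grants any-host access.
xdmcp_exposed() {
    if kdmrc_xdmcp_disabled "$2"; then
        echo "ok: XDMCP explicitly disabled in $2 (Xaccess not consulted)"
        return 1
    fi
    if xaccess_open "$1"; then
        echo "EXPOSED: $1 grants a login window or chooser to any host"
        return 0
    fi
    echo "ok: no any-host entry active in $1"
    return 1
}

# Live check (not exercised by the samples below): is anything bound to
# 177/udp, the XDMCP port? Assumes netstat; run after restarting kdm.
xdmcp_listening() {
    netstat -uln 2>/dev/null | grep -Eq '[:.]177[[:space:]]'
}

# write_samples DIR -> constructed sample files: the vulnerable default
# Xaccess beside the fixed one, and a kdmrc with and without Enable=false.
write_samples() {
    cat >"$1/open.Xaccess" <<'EOF'
# constructed sample: the default any-host entries
*                                       #any host can get a login window
*               CHOOSER BROADCAST       #any indirect host can get a chooser
EOF
    cat >"$1/fixed.Xaccess" <<'EOF'
# constructed sample: both entries commented out as the advisory instructs
#*                                      #any host can get a login window
#*              CHOOSER BROADCAST       #any indirect host can get a chooser
EOF
    cat >"$1/new.kdmrc" <<'EOF'
[General]
# constructed sample: 8.1/8.2-style kdmrc with XDMCP explicitly off
[Xdmcp]
Enable=false
Port=177
EOF
    cat >"$1/old.kdmrc" <<'EOF'
[General]
# constructed sample: older kdmrc with no [Xdmcp] Enable key at all
EOF
}

# Usage on a real host: sh audit.sh --check
if [ "${1:-}" = "--check" ]; then
    xdmcp_exposed /etc/X11/xdm/Xaccess /usr/share/config/kdm/kdmrc
fi
```

Run with --check on a live system to audit the real files; combine with xdmcp_listening after the restart to confirm nothing is still bound to 177/udp. The kdmrc check deliberately treats an absent Enable key as "not disabled", which is what makes the 8.0 default dangerous even though no line in kdmrc says so.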